Support For Multiple Login Method 

Field of the Invention 

[001] The present invention relates to a method for allowing people to access data 
through a plurality of mechanisms and more precisely to a method for supporting 
multiple login. 

Background of the Invention 

[002] Computer security is fast becoming an important issue. With the proliferation 
of computers and computer networks into all aspects of business and daily life (financial, 
medical, education, government, and communications), the concern over secure file 
access and data communications is growing. One method of preventing unauthorized 
access to files is by using encryption and cipher techniques. These techniques convert 
data into other forms of data in a fashion that is reversible. Once encrypted, the data is 
unintelligible unless first decrypted. RSA, DES and CAST are known encryption 
techniques, which are currently believed to provide sufficient security for computer 
communications and files. 

[003] Each of these encryption techniques uses a cipher key. Such a key is crucial to 
the encryption/decryption process. Anyone with a correct key can access information 
that has previously been encrypted using that key. The entry of the key from the 
keyboard is impractical since a user must remember such a key for entry and as such is 
liable to be discovered by an individual desiring access to existing encrypted files. 

[004] Further, there is great concern over communication of keys within commercial 
and governmental offices. It is common for users to inform others of their keys or to 
transfer their keys to others for use during holidays, sick days, or even as a reminder of 
the key should the user forget. Also, keys are often written down at the workstation in 
case a user should forget. Such written passwords undermine the security of many 
systems. 
[005] In DES encryption, the key is a numerical value, for example 56 bits in length. 
Such a key can be used to encrypt and subsequently to decrypt data. The security of the 
data once encrypted is sufficient that the key is required to access the data in an 
intelligible form. Thus the security of the data is related to the security of the key. 

[006] Some encryption systems use keys stored on the same device as the encrypted 
files. This is akin to storing a lock and its key in the same location. A knowledgeable 
user gaining access to the device could locate the key and access the data. Other 
encryption systems use keys stored on portable cards. Such a key is accessed via a 
password entered at the keyboard. Other users can take such a portable card and such a 
password can be discovered. The portable card is equally subject to transfer between 
employees and improper storage at a user's desk. 

[007] A security access system that provides substantially secure access and does 
not require a password or access code is a biometric identification system. A biometric 
identification system accepts unique biometric information from a user and identifies the 
user by matching the information against information belonging to registered users of the 
system. 

[008] Unfortunately, a device specifically designed to gain access to a system 
secured through biometric information is plausible. Such a device connects to a personal 
computer in a same fashion as a contact-imaging device but does not require provision of 
biometric information. Some forms of infiltrating biometric systems include a record-playback 
attack, wherein biometric information is intercepted, recorded, and then played 
back at a later time; repeat pattern sending, wherein patterns are sent to the biometric 
identification system until an authorization occurs; etc. It would be advantageous to 
restrict the use of third party contact imaging systems with a security identification 
system in order to improve security. 

[009] Typically, data or information is secured on a hard drive by using an 
encryption key to encrypt data and decryption key to restore the data. Thus, providing a 
password to the system activates the encryption/decryption key that allows encryption or 
decryption of the data. A major concern exists when considering a security system based 
upon such a system: the key and the encrypted data are stored on the same hard drive. As 
such, knowing a user's password gives access to the encrypted data. 

Object of the Invention 

[0010] It is an object of this invention to provide key data to a system, the key data 
being encoded using a data value in the form of a password. 

[0011] It is another object of this invention to transform the key data using a reversible 
hash process. 

[0012] It is a further object of this invention to allow an individual to access 
encrypted data through a plurality of mechanisms. 

[0013] It is another further object of this invention to provide a method for supporting 
multiple login. 

Summary of the Invention 

[0014] In accordance with a preferred embodiment of the present invention, there is 
provided a method of securing security data stored on a computer system comprising the 
steps of: providing a data key to the computer system; transforming the security data with 
the data key in a reversible fashion to produce encoded secure data such that the data key 
is required in order to perform a reverse transform and extract the security data from the 
encoded secure data; and, storing the encoded secure data in a fashion such that a user 
authorization process is used to retrieve the encoded secure data such that the data key 
and the user authorization process in combination, provide access to the security data and 
such that the stored data within the computer system is encoded. 

[0015] In accordance with another preferred embodiment of the present invention, 
there is provided a method of securing security data stored on a computer system 
comprising the steps of: providing a biometric information source and comparing the 
biometric information source against stored templates associated with the biometric 
information source and, in dependence upon a comparison result, pairing the biometric 
information source with a first individual identity; providing a data key associated with a 
second individual identity, the data key being other than stored on the computer system; 
retrieving encoded security data associated with the biometric information; and using the 
key data for decoding the encoded security data. 

[0016] In accordance with another preferred embodiment of the present invention, 
there is provided a method of securing data stored on a computer system comprising the 
steps of: providing a first information sample to a computer system; hashing the first 
information sample to produce a first hash value; encoding key data in dependence upon 
the first hash value to produce first security data, the key data for use in decoding stored 
encoded data; providing at least one biometric information sample; securing the first 
security data in dependence upon at least one of the at least one biometric information 
sample. 

Brief Description of the Drawings 

[0017] Exemplary embodiments of the invention will now be described in 
conjunction with the following drawings, in which: 

[0018] Fig. 1 is a flow diagram of a prior art method of associating a password to a 
fingerprint upon a match of a fingerprint with an associated template; 

[0019] Fig. 2a is a flow diagram of a method of securing security data stored on a 
computer system; 

[0020] Fig. 2b shows a method of accessing the secured data stored on a computer 
system according to a preferred embodiment of the present invention; 

[0021] Fig. 3 is a flow diagram of a method of getting an authorization to proceed 
according to the invention. 
Detailed Description of the Invention 

[0025] In password based security systems, secure data such as encryption keys are 
stored encoded based on the password to access same. In effect, a password must be 
provided in order to access the encryption keys stored within the system. Since the 
password is not stored anywhere within the data store, it is very difficult to decode the 
encryption keys without having actual knowledge of the password. 

[0026] The security systems wherein biometric information is used for identifying 
and authorizing access to an individual mostly rely on a prior art method as shown in 
Fig. 1. After a biometric information sample, in the form of a fingertip for example, has been 
provided to a system, the fingertip is imaged and the fingerprint is characterized. During 
the process of identification, the fingerprint is compared to stored templates associated 
with fingerprints of the person (in a one-to-one identification system) or of any person 
who may access the system (in a one-to-many identification system). Upon a 
positive result of the comparison, when there is a match between the provided fingerprint 
and a stored template associated with a fingerprint, the system provides a password 
associated with the stored template and the user is identified and authorized. According 
to such a method, passwords are stored with the templates giving rise to security 
concerns. Moreover, when the system uses encryption to secure the passwords, the 
decryption key is stored within the system and as such a skilled person may find the 
decryption key given sufficient time by simply mining the data store. 

[0027] The use of a biometric imaging device with a personal computer is considered 
inevitable. Unfortunately, a sample of biometric information is unchanging. Once a 
person has left their fingerprint on a table, or a glass, or a window, it is available to 
everyone. Once someone is in possession of a fingerprint, that fingerprint is known and 
cannot easily be modified. Therefore, data cannot simply be encoded using fingerprint 
data. 

[0028] A major problem with a security system as described is that the password for 
accessing the data is stored on the hard drive secured by the biometric information. 
Furthermore, the password, when provided, gives access to an encryption/decryption key 
on the same system or another system. When the key is decoded, the data are retrievable 
in an intelligible human language. As is apparent to a person with skill in the art, the key 
and the encrypted data are stored in a same system. As such, as soon as a user's 
password is found by an unauthorized person, for example through a process of data 
mining, the encryption/decryption key and the encrypted data stored on the same hard 
drive are accessible, and the system security is breached. 

[0029] To overcome such a major inconvenience, Fig. 2a illustrates in flow diagram a 
method of securing security data stored on a computer system. Typically, for securing 
data on a computer system, key data in the form of a password for example is provided to 
the computer system or is generated therein. The key data is typically associated with a 
single user or group. For example, the key data is in the form of a 128-bit encryption 
key. According to the invention, the key data is encoded using a data value in the form of 
a password provided by a user. The transformation of the key data, according to the 
present invention, comprises a reversible hash process. 

[0030] Preferably, the password is also hashed in an irreversible fashion and stored 
on the system to allow for password validation. An example of such a hash process is 
described below. Assuming a user's password is a series of symbols related to the user, 
as for example the user's name, the password is hashed to provide a series of symbols 
representing a transformation of the password into numerals and a conversion using a 
hexadecimal based numeric system. A result of the hashing procedure is 41 4E 4E 45. 
After the encoding step, the series of symbols is irreversibly encoded to provide a set of 
values. The set of values obtained is stored within the system to allow for comparison of 
provided passwords to ensure that they are correct. 

[0031] As is evident to those of skill in the art, the password is not stored within the 
system. The key data is encoded with the password and can be decoded therewith. A 
password provided to the system is verifiable by hashing it and comparing the result to 
the stored hash result. That said, the stored hash result is not useful for uniquely 
determining the password. 
[0032] Advantageously, what has been typed in by a user to encode any convenient 
data key, in the case of a password for example, is unknown because it is not stored on 
the hard drive. As such, someone trying to break into the system using data mining 
software for example will fail to find the password because none is stored in the system. 
What can eventually be found is an encoded key, or PIN, or access code that is useless to 
the hacker absent the password, and a hashed password. 

[0033] The key data, which is an encoded key, is used for encoding accessible data. 
Encoding transforms the data from an accessible form into an inaccessible form. For 
example, if the accessible data are in the form of intelligible human-readable text, the key 
data transforms the readable text into a series of unintelligible symbols. Advantageously, 
the data are reversibly encoded by the data key so that a user can retrieve them upon the 
provision of the data key for decoding the encoded data. Otherwise, without providing 
the key data, only the encoded data, as for example the series of unintelligible 
symbols, are retrieved from the computer system. Further advantageously, the key data is 
provided to the system for reversibly transforming the data in one way or the other, but it 
is not stored in the computer system in unencoded form along with the encrypted data. 

[0034] Of course, instead of providing a password to the computer system for 
initiating the encoding/decoding of key data for a security purpose, another value is 
usable. Such other value originates from a smart card belonging to a user that contains 
information, which triggers the encoding/decoding for example. Of course, other 
possessions such as digital keys, PCMCIA cards, chips and so forth are useful for 
providing longer more complex access codes. 

[0035] In a subsequent step, the encoded key data is stored secured by biometric 
information of the user. For example, a fingerprint template is stored in association with 
the encoded data for retrieving the encoded data. Thus, both biometric information and a 
password or electronic code are necessary to access the key data. That said, data mining 
may provide access to encoded key data absent a step of biometric authentication. 
[0036] Referring now to Fig. 2b, a method of accessing the secured data stored on a 
computer system is shown. In order to retrieve secured data stored within the computer 
system, the key data must be retrieved in decoded form. Retrieval of the encoded key 
data necessitates provision and registration of biometric information of the user in order 
to provide an authorization to proceed. As shown in Fig. 3, the authorization to proceed 
comprises identifying a user based on biometric information provided therefrom. This 
provides an indication that the correct person was actually present when the key data was 
retrieved. Typically, the user provides biometric information from a biometric source. 
The biometric information is characterized, processed and compared against templates 
stored in the system. Upon a match of the features extracted from the templates and the 
characterized biometric information corresponding to the biometric source provided by 
the user, an authorization to proceed is either provided or denied. Advantageously, the 
system discriminates between various types of biometric sources provided to the system. 
The biometric source is for example in the form of a fingertip, which is imaged on a 
contact imager. Furthermore, the biometric source reader is in the form of any imager as 
for example, but not limited to, a palm print imager, a retinal imager, toe print imager, or 
a hand writing recognition system. Alternatively, a voice sensor or a keystroke-timing 
sensor is used. 

[0037] Referring back to Fig. 2b, the password data is needed for decoding the key 
data, and an authorization to proceed is also required for causing the decoding process to 
be performed. Thus, even once the user is authorized and authenticated by the biometric 
identification process, the key data is unavailable in decoded form until the password is 
provided. This allows for a more secure use of biometric authentication since the key 
data is other than stored in decoded form. 

[0038] When a system supports a plurality of different login data formats, it is 
difficult to support the above method. For example, if a password or a smart card is 
usable to access a system, the key data cannot be decoded with the password or the smart 
card. Therefore, the key data are stored multiple times, each time encoded using a 
different one of the possible password data. This provides flexibility in identification and 
enhanced security over prior art methods. For example, when a system supports multiple 
methods of logging in such as (fingerprint and password), (fingerprint and smart card), 
(retina and smart card), (voice and password and digital key), and (password and smart 
card and typing interval data), the biometric data is substantially unchanging and its use 
in encoding of the key data is typically ineffective. Thus, the key data is encoded in each 
possible fashion to support each identification method. Here, as can be seen, encoding of 
the key data with the smart card code and separately with the password supports all 
access methods, the digital key being used with the password in one of the methods. 
Thus, each method remains supported and the key data is not stored in unencoded form. 
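The enrollment and retrieval flow of paragraphs [0029] to [0038], as an added Python example that is not code from the patent: the patent's "reversible hash" is realised here as an XOR of the key against a PBKDF2-derived stream, the irreversible password hash as a separately salted PBKDF2 output, and the biometric match as an exact template lookup standing in for a real matcher. KDF_ITERS, the record layout and all sample values are constructed for the example.

```python
import hashlib
import hmac
import os

KDF_ITERS = 100_000  # PBKDF2 work factor; an assumed value, not from the patent

def _derive(secret: bytes, salt: bytes, length: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, KDF_ITERS, length)

def encode_key(key_data: bytes, credential: bytes) -> dict:
    """Reversibly encode key_data under one login credential (password or
    smart-card code). The credential is never stored; only a separately salted,
    irreversible hash of it is kept for validation (paragraphs [0029]-[0031])."""
    wrap_salt, check_salt = os.urandom(16), os.urandom(16)
    stream = _derive(credential, wrap_salt, len(key_data))
    return {
        "wrap_salt": wrap_salt,
        "encoded": bytes(k ^ s for k, s in zip(key_data, stream)),  # XOR wrap
        "check_salt": check_salt,
        "check": _derive(credential, check_salt, 32),
    }

def decode_key(record: dict, credential: bytes):
    """Validate the credential against its stored hash, then undo the wrap; None if wrong."""
    if not hmac.compare_digest(record["check"], _derive(credential, record["check_salt"], 32)):
        return None
    stream = _derive(credential, record["wrap_salt"], len(record["encoded"]))
    return bytes(e ^ s for e, s in zip(record["encoded"], stream))

def enroll(store: dict, template: bytes, key_data: bytes, credentials: dict) -> None:
    """One encoded copy of the key per login method, all filed under one biometric template ([0035], [0038])."""
    store[template] = {m: encode_key(key_data, c) for m, c in credentials.items()}

def retrieve_key(store: dict, sample: bytes, method: str, credential: bytes):
    """Fig. 2b/3 flow: a biometric match grants the authorization to proceed, then the
    chosen method's credential decodes the key. Exact lookup stands in for a matcher."""
    records = store.get(sample)  # no matching template: authorization denied
    if records is None or method not in records:
        return None
    return decode_key(records[method], credential)

def demo() -> dict:
    """Constructed sample: one 128-bit key, two login methods, one template."""
    key_data, template, store = os.urandom(16), b"constructed-fingerprint-template", {}
    enroll(store, template, key_data, {"password": b"correct horse", "smartcard": b"\x01\x02\x03\x04"})
    on_disk = b"".join(r["encoded"] + r["check"] for r in store[template].values())
    return {
        "password_ok": retrieve_key(store, template, "password", b"correct horse") == key_data,
        "smartcard_ok": retrieve_key(store, template, "smartcard", b"\x01\x02\x03\x04") == key_data,
        "wrong_credential": retrieve_key(store, template, "password", b"wrong"),
        "no_biometric_match": retrieve_key(store, b"unknown sample", "password", b"correct horse"),
        "key_on_disk": key_data in on_disk,
    }
```

The last field of `demo()` checks what paragraph [0032] promises: the stored records contain the encoded copies and the credential hashes, but never the key itself.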

[0039] Advantageously, as the system expands and access methods increase in 
numbers, such a method is sufficiently flexible to support changes and variations in 
system access requirements that arise over time. 

[0040] Numerous other embodiments might be envisioned without departing from the 
scope and the spirit of the present invention. 